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ABSTRACT 



A method for secure accounting and auditing of a commu- 
nications network operates in an environment in which 
many servers serve an even larger number of clients (e.g. the 
web), and are required to meter the interaction between 
servers and^lients (e.g. cgunting_the_number. of .clients that, 
were served by a server). The method (metering process) is 
very efficient and does not require extensive usage of any 
new communication channels. The metering is secure 
against fraud attempts by servers which inflate the munber 
of their clients and against clients that attempt to disrupt the 
metering process. Several secure and efficient constructions 
of this method are based on efficient cryptographic 
techniques, are also very accurate, and preserver the privacy 
of the clients. 

21 Claims, 2 Drawing Slieets 
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METHOD FOR SECURE ACCOUNTING AND 
AUDITING ON A COMMUNICATIONS 
NETWORK 

HELD OF THE INVENTION 

This inventioD relates a method for accounting and audit- 
ing of communications networks. 

BACKGROUND OF THE INVENTION 

The majority of Internet revenues come from connectivity 
and advertisement fees, yet there are almost no means to 
secure the accounting processes, which determine these fees 
from fraudulent behavior, e.g. a method to provide reliable 
usage information regarding a Web site. There is an enor- 
mous financial incentive for the Web site to inflate this data, 
and therefore measurement methods should be secure 
against malicious behavior of the site. Measurement meth- 
ods which are based on sampling are relatively protected 
from corrupt behavior of Web sites but do not provide 
meaningful data about small and medium scale sites. 

There has been a considerable amount of work on secur- 
ing online payments. However most of the revenues from 
Internet ventures do not come from direct sales: the largest 
sums of money are by far those paid for advertising and for 
connectivity to the Internet. There are many different fore- 
casts for the future distribution of Internet revenues but 
many of them agree that advertising and connectivity will 
remain the major sources of income from the Internet. In 
light of these figures it is surprising how little research has 
been conducted towards securing the accounting mecha- 
nisms that are used by advertising and connectivity provid- 
ers. 

Most of the revenues of Web sites come from advertise- 
ment fees. Although there are different forecasts for the 
market share of online advertising, the estimations are that 
very large sums of money will be invested in this media. 
Like in every other advertising channel, Web advertisers 
must have a way to measure the effect of their ads, and this 
-data affects the-fees that are charged'f or "displaying ads. 
Advertisers must therefore obtain accurate and impartial 
usage statistics about Web sites and about page requests for 
pages that contain their ads. Web sites on the other hand 
have an obvious motivation to inflate their usage reports in 
order to demand more for displaying ads. 

In the pre -Web world there were two main methods for 
measuring the popularity of mediate channels, sampling and 
auditing. Sampling, like the Nielsen rating system for TV 
programs, is survey based. It picks a representing group of 
users, checks their usage patterns and derives usage statistics 
about afl the users. In traditional types of media like tele- 
vision this method makes sense since users have a relatively 
limited number of viewing options to choose from. These 
types of media use broadcast, which operates in a one-to- 
many communication model. The Web operates in a many- 
to-many communication model and offers millions of Web 
pages to visit. Therefore although sampling based metering 
services are offered for the Internet, they do not provide 
meaningful results for any but the most popular Web sites. 

Auditing is performed by trusted third party agencies, like 
the Audit Bureau of Circulations (ABC) which audits print 
circulation. Although the sites often offer such information 
regarding Web sites themselves, it should be taken with a 
grain of salt. The Coalition for Advertising Supported Infor- 
mation and Entertainment (CASIE) states in its guidelines 
for interactive media audience measurement that "lliird 
party measurement is the foundation for advertiser confi- 



i5,508 

2 

dence in information. It is the measurement practice of all 
other advertiser-supported media". There are a number of 
companies (like Nielson/IPRO, NetCount, etc.) which offer 
third party based audit services for the Internet. They 

5 typically instaU some monitoring software at the server that 
operates the site. However, the reliability of such audit data 
depends on the site providing accurate data or not breaking 
into the monitoring module. Sites have a huge financial 
interest to exaggerate their popularity. The lesson learnt 
from software and pay-TV piracy is that such financial 
interests lead to corrupt behavior that overcomes any "light- 
weight security" mechanism. 

Today most Web advertising is displayed on a very small 
number of top popularity Web sites, like "Yahoo!" or CNN. 

J 5 It may be plausible that in spite of the great financial 
motivation such established sites will not provide inflated 
usage reports or break into audit modules that report their 
activities. 

However, while this may be true for the big sites, a large 

20 amount of advertising is displayed on smaller scale sites. It 
can also be argued that one of the main reasons that drive 
advertisers to use only the biggest sites is the lack of reliable 
audit data on smaller scale sites. The Web is so attractive 
because one can set a site of interest to perhaps only 10,000 

25 users worldwide. This number may suffice to attract some 
advertisers, provided there are reliable usage statistics. 

Advertisers can leara about the exposure of their ads by 
counting "click throughs", i.e. the number of users who 
clicked on ads in order to visit the advertiser's site. "Double- 

30 click" reported in 1996 that 4% of the visitors who view an 
ad for the first time actually click on it. This ratio changes 
according to the content of the ad, and therefore gives very 
limited information to the advertiser. Another method that 
advertisers can use is to display the ads form their own 

35 server (even when they are displayed in other sites) and 
eliminate the risk of unreliable reports from sites. However, 
this method burdens the advertiser with sending its ads to all 
their viewers and prevents the distribution of this task. The 
original cpmmunication.pattem is not preserved since a new 

40 channel (between the advertiser and the client) is used. The 
load on the advertiser's server is huge and is surely not 
acceptable for a one-time advertiser. This solution is non- 
scalable, introduces a single point of failure (the advertiser), 
and is also insecure against "fake" requests created by the 

45 site displaying the ads. 

Currently thereof no single accepted standard or termi- 
nology for Web measurement. Novak and Hoffman argue 
that standardization is a crucial first step in the way for 
obtaining successful commercial use of the Internet. They 

50 also claim that interactivity metrics rather than the number 
of hits or the number of visitors should be used to meter a 
site's popularity. The method of the present invention is 
defined to count the number of visits that a Web site 
receives. For purposes of presenting a general embodiment 

55 of the method of the present invention, this definition does 
not need to define a visit precisely. For example, it can be set 
to be a click, a user, a session of more than some threshold 
of time or of page requests from a single user; or any similar 
definition. The main requirement is that the measurement be 

60 universal to all clients and can be consolidated (for instance, 
a detailed report of the path of pages that each client went 
through in its visit cannot be consolidated into a single 
result. The number of clients whose visit lasted more than 15 
minutes can be represented as a single number). The empha- 

65 sis in this paper is in obtaining reliable usage statistics even 
when servers may try to act maliciously, and not in defining 
the type of statistics that are needed. 



08/28/2002, EAST Version: 1.03.0002 



6,055,508 

3 4 

Pitkow discussed the problems caused by caching and by Carter L. and Wegman M., Universal hash functions, J. of 

proxy usage, which hide usage information from Web serv- Computer and System Sciences, Vol. 18, 1979, 143-154. 

ers. Possible solutions like temporal analysis, cache busting, Claflfy, K., Braun, H. -W. and Polyzos, G., Applications of 

and sampUng were suggested. sampling methodologies to wide-area network trafiSc 

FrankUn and Malkhi were the first to consider the meter- 5 characterization, TR CS93-275, UCSD, 1993. 

ing problem in a rigorous approach. Yet their solutions only Coalition for advertising supported information and 

offer "lightweight security"; clients can refrain from helping entertainment, CASIE guiding principles of interactive 

servers count their visits, servers can improve their count, media audience measurement, April 1997, available at http:// 

" and'the variance of the measurement is relatively high. Such www.commercepark.com/AAAA/casie/gp/guiding princi- 
solutions cannot be applied if there are strong commercial lo ples.html. 

interests to falsify the metering results. Desmedt Y. and Frankel Y, Threshold cryptosystems, 

Micropayments are an alternative method for financing Crypto '89, LNCS 435, 1990, 307-315, 

online services. Their implementations are designed to be Diflie, W, and Hell man, M. E., New directions in 

very efficient in order for their overhead to be less than the cryptography, in: IEEE Trans, on Information Theory, 

value of the transactions. Micropayments can be used for November 1976, pp. 644-654. 

web metering, where each visit would require the client to Dwork C. and Naor M., Pricing via Processing or Com- 
send a small sum of "money"' to the server, which would bating Junk Mail, Crypto '92, LNCS 576, 1992, 114-128. 
prove many visits by showing that is earned a large sum of Estrin, D. and Zhang, L., Design considerations for usage 
money. However, all the current suggestions for micropay- accounting and feedback in Internet-works, ACM Computer 
ment schemes require the communication from the merchant ^0 Communications Review, 20(5) :5 6-66, 1990. 
(i.e. the server) to the bank (i.e. the audit-agency) to be of the pang, W., Building an accounting infrastructure for the 
same order as the number of payments that the merchant Internet, in: IEEE Global Internet, 1996, available at http:// 
received. This means that the amount of information that the www.cs.princeton.edu/~wfang/Research/revised.ps. 
audit-agency receives is of the order of the total number of Peldman P., A practical scheme for non-interactive veri- 
visits to all the metered servers. The method of the present ^^^1^ ^^.^et sharing, 28th FOCS, 1987, 427-437. 
invention is a more efficient metering scheme since there is p^j^^^^ p ^-^^^ g ^ ^ ^^^j ProbabUistic Pro- 
no need to deduct money" for chents accounts. ^^^^j Synchronous Byzantine Agreement, SIAM J, on 

The laternet is based on packet switching, i.e. there is no Comp., Vol. 26, No. 4, 1997, 873-933. 

dedicated path between two parties that are communicating p^^^g, y, demmeU P., MacKenzie P. D. and Yang M., 

through the InterneM>ut rather each packet of information is Optimal-resilience proactive pubUc-key cryptosystems, 38th 

routed separately. The Internet is essentially a network of pOCS 1997 384-393 

networks and packets are typicaUy routed through several p^^^jj^ ^ ^ -^^j^^j ^^^j^^^,^ 

different networks. These properties complicate pncmg and r u* • u* •* i-* - i * u ^nnn 

. , r I . . J • J J *u hghtweight security, Fmancial Cryptography 97, 1997. 

accounting mechamsms for Internet usage, and indeed the ^ ^ o . / ^ 

most common pricing method is to charge a fixed price ^!^P^^' ^J^^^' ^' ^IT'^'^^'w .? ' '."^f f 

which is independent of the actual number of packets which f^^^r^^"^ ^f^''^"^' ^* ^^IT T t^k, p^T ^ 

are transferred. Pricing theory based analysis indicates that L ^^^^""'^^ J^^^n^^^'"" ^^^"^^ "^"^ 

pricing Internet services according to the actual usage (at Greenwood Pub,_1994. 

-least at times of network congestion) is-supe"rior in ter^s of" "J^Kilian, Founding Cryptography on Oblivious Transfer, 

network efiBciency. Usage based pricing has a disadvantage STOC, 1988, 20-31. 

of incurring accounting and bilfing costs. It is impractical to Jarecki S. and Odlyzko A., An eflBcient micropayment 

create detailed account reports (similar to telephone system based on probabilistic polling. Financial Cryptogra- 
accounts) due to the huge number of packets. Some are 

phy *97, 1997. 

suggesting measuring usage using sampling or only at times Lesk, M., Projections for making money on the Web, in: 
of congestion (however, even producing reports for a sample '^^ Harvart Infrastructure Conference, Jan. 23-25, 1997, avail- 

of say, Viooo of the packets creates inconceivably large able at http://community.bellcore.com/lesk/iih/iih.html 

reports). MacKie-Mason and Varian also expect break- MacKie -Mason, J. K. and Varian, H. R., Pricing the 

throughs in the area of in-line distributed accounting that Internet, in: B. Kahin and J. Keller (Eds.), Public Access to 

will lower the costs of Internet accounting. the Internet. Prentice-Hall, 1994. 

A problem, which needs to be addressed, is the notion of Merkle R., Acertified digital signature, Crypto '89, LNCS 

secure and efficient metering of the amount of service 435, 1990, 218-238. 

requested from servers by clients, in Web applications and McConnac, J., European Scrambling Systems 5, Water- 

the like. Such metering methods should be realized without ford University Press, Walerford, 1996. 

substantial changes to the operation of clients and servers McEliece, R. J. and Sarwate, D. V., On sharing secretes 

(though they may require a change in the clients software and Reed-Solomon codes. Comm. ACM, 24(9): 583-584, 

and a registration process) and to their communication September 1981. 

patterns. Murphy, I. P., On-Une ads effective? Who knows for 

References sure?. Marketing News, 30(20): 1-38, September 23, 1996. 

Aho A., Hopcroft J. and Ullman J., The design and Naor, M., and Pinkas, B., Secure and Efiicient Metering, 

analysis of computer algorithms, Addison- Wesley, 1974. Advances in Cryptology— Eurocrypt '98, Springer- Veriag, 

Ben-Or M., Goldwasser S, and Wigderson A., Complete- 1998. 

ness theorems for noncryptographic fault tolerant distributed Novak T. and Hoffman D., New metrics for web media: 

computation, 20th STOC, 1988, 1-9. toward the development of web measurement standards, 

Biham, E. and Shamir, A., Differential fault analysis of 65 September 1996, Manuscript available at http:// 

secret key cryptosystems, in: Crypto '97, Springer- Veriag www2000.ogsm.vanderbilt.edu/novak/web.standards/ 

LNCS 1294, pp. 513-525. ^ webstand.html 



G8/28/2002, EAST Version: 1.03.0002 



6fit 

5 

Pedersen T. R, Non-interactive and information-theoretic 
secure verifiable secret sharing. Crypto '91, LNCS 576, 
1991, 129-140. 

Pitkow, J., In search of reliable usage statistics on the 
WWW, in: Proc. of the 6th International WWW Conf., 1997, 
available at http://www6.nttIabs.com/HyperNews/get/ 
PAPER126.html 

Rabin T and Ben-Or M., Verifiable secret sharing and 
multiparty protocols with honest majority, 21st STOC, 1989, 
73-85. 

Kinsman M., Web advertising 1997: market analysis and 
forecast, Cowles/Simba Information, Stamford, Conn, May 
1997. 

Shamir A., How to share a secret, Comm. ACM Vol. 22, 
No. 11, 1979, 612-613. 

Wegman M. and Carter L., New hash functions and their 
use in authentication and set equality, J. of Computer and 
System Sciences, vol. 20, 1981, 265-279. 

Yao A. C, How to generate and exchange secretes, 27th 
FOCS, 1986, 162-167. 

SUMMARY OF THE INVENTION 

The present invention relates to methods for measuring 
the amount of service requested firom servers by clients in a 
communications network. The methods are secure and 
efiScient, and provide a short proof for the metered data. The 
method of the present invention does not require the use of 
tamper resistant modules at the client nor at the server. 
Immediate applications are a secure measurement of visits to 
a Web site and a secure usage based accounting mechanism 
between networks. In the context of the present invention, 
the "web" is used as an archetype example for a communi- 
cations network. It should be recognized that many other 
styles of networks are amenable for using the method of the 
present invention; computer networks, telecommunications 
networks, and the like. 

The method of the present invention provides validated 
measurements of the amount of servicelhat servers perform 
for their clients, in a manner that is efficient and is secure 
against fraud attempts by servers and clients. There are two 
main applications for such methods: a certified measurement 
of the usage of Web sites, and measurement of the amount 
of traffic that a communication network delivers. Both these 
applications have a tremendous financial importance which 
makes them targets for fraud and piracy, as was the case with 
software and pay TV piracy which became multi-million 
dollar businesses (see for example McCormac for a detailed 
description of TV piracy practices). It must be concluded 
that it is essential to develop mechanisms that ensure the 
authenticity and accuracy of usage measurements against 
malicious and corrupt parties. 

According to the method for secure accounting and audit- 
ing of a communications network of the present invention, 
the network has at least one server, a plurality of clients, and 
at least one audit-agency. This method includes the steps of: 
initializing, beginning of a metered time firame, interacting 
with a client, and processing at end of time frame. The 
initializing includes an audit-agency choosing a substan- 
tially random key and the audit- agency securely sending, to 
each server and to each client, data that depends on at least 
the key and on identity-data of the server or the client 
receiving the sending. The beginning of a metered time 
frame includes the audit-agency sending a challenge to at 
least one server. The interacting with a client, of the initial- 
ized clients, includes firstly a server sending to the client a 
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challenge which depends on at least the challenge that the 
server received from the audit-agency, and secondly the 
client replying with an answer that is computationally 
dependant on the challenge that the client received and on 
5 information that the client received in its initialization step. 
The processing at end of time frame includes firstly a server 
performing a computation which depends on at least the 
answers the server received from clients, and_ secondly 
sending to the audit-agency a compact proof for the number 
10 of clients served by the server. 

According to an embodiment of the present invention, 
sending to the client a challenge is accomplished implicitly 
by computations of the servers and of the clients. According 
to another variation of the present invention, sending to the 
15 server a challenge is accomplished implicitly by computa- 
tions of the audit-agency and of the servers. 

According to another embodiment of the present inven- 
tion a proof for the number of clients served, being K clients 
visiting a server S in a time period T, includes: 

(a.) in the initializing, the audit-agency generating a 
random polynomial Q(x,y) over a predetermined finite 
field Zp, of degree k-1 in x and d-1 in y; and each 
client C receiving the polynomial Oc(y)=P(C,y) which 
2^ is constructed from P by substituting C for x, and is of 
degree d-1 in y; 
(b.) such that a client C that visits server S at date t sends 
a value Qc(St)=P(C,St) wherein St is a function of S 
and t, in Zp; 

30 (c.) and a proof generation includes, for the polynomial 
P(x,St), after serving k clients in time period T, S 
interpolating the polynomial and calculating P(0,St); 
(d.) and a proof of serving k chents in time period T by 
the audit- agency includes verifying this value by evalu- 
35 ating the polynomial P at a predetermined location. 
According to embodiments of the method of the present 
invention, the computational dependency of the challenge is 
based on hash trees, on quorum systems, on pricing-via- 
. processing, on- secure- function evaluation," on micro-" 
40 payments, or the like. 

According to another embodiment of the method of the 
present invention, the computational dependency of the 
challenge is based on secret sharing. Furthermore, error- 
correcting properties are used to reconstmct the secret. 
45 According to another embodiment of the present 
invention, the interacting includes a client sending a share to 
a server, said server evaluating a polynomial of degree d-1 
wherein said evaluating uses a computation requiring d 
multiplications using Homer's rule, and said evaluating is 
50 performed in a field Zp wherein 1/p is the error probability. 
The field Zp is set to be 32 bits long, to be with 2^^-5 
elements, to be a Galois field with 2^^ elements, or the like. 

According to an embodiment of the method of the present 
invention, the clients are divided at random into n classes, 
55 and the server is asked to prove a predetermined number of 
visits form a random class. According to another embodi- 
ment of the method of the present invention, the clients are 
divided at random into n classes, and wherein the server is 
asked to prove a predetermined number of visits from at 
60 least one predetermined class. 

According to an embodiment of the method of the present 
invention, a number of measurements in which the method 
is used is of the same order as d, the degree of y in P, times 
the number of classes n. 
65 According to an embodiment of the method of the present 
invention, interacting includes a server counting client turn- 
over or counting visits by clients of a predetermined audi- 
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ence of counting requests for royalty-payment-requiring- of requests for this content in order to decide on the 

property or counting requests for an access-cost payment- sum that is paid to the content owners, 

service by a third party or counting coupons received from (c) Reversing access costs: An application which was 

clients; and wherein processing at end of time frame suggested in [FrankHn] is to enable users a free con- 

mchides a proof for any of said countmgs. 5 section to sites whose owners are wilUng to pay for the 

Accordingtoanembodimentofthemethodoftheprescnt ^^^^^^ ^^^^^ ^^^^ ^.^^ 

invention, a server venfies the answer received from the ^^^^^^^ ^^^^ connections will be measured and the 

^ . . J. , ^,1. . c.i. - . sites will pay the users' ISPs accordingly. 

According to an embodiment of the method of the present . ^ , . ^ . , 

invention, a client's answer has a domain that is unknown to 30 *^°^PJ>°^- ^ newspaper (e.g. the Wall Street 

the server Journal) that distributes coupons to its cheats, which 

llie principal property of the metering method of the give them access to aoonUne service (e.g. for obtaining 

present invention is that the server is able to present to an online stock quotes). Then the metenng methods can be 

auditor a short proof for the number of services it has the onhne service to provide verifiable mea- 

performed. An auditor can verify this proof. Suppose that a 15 ^rements of the exact number of users who have used 

Web server generated a proof for serving one miUion dif- coupons. 

ferent clients. Then in the method, according to the present BRIEF DESCRIPTION OF THE DRAWINGS 
invention, this is a proof in its mathematical sense, i.e. its 

security is based on mathematical (cryptographic) In order to understand the invention and to see how it may 

principles, and a legitimate proof cannot be generated unless 20 carried out in practice, a preferred embodiment will now 

the server has actually served one million cHents. The proof be described, by way of non-limiting example only, with 

is short. The length of a proof for serving n clients is fixed reference to the accompanying drawings, in which: 

(independentofn) or is at most of a much smaller order than FIG, 1 is a schematic illustration of the setting of the 

n. This is essential, since otherwise the task of sending and metering scheme; 

verifying such proofs would burden the auditor; being of the 25 FIG, 2 is a schematic illustration of the basic secret 

same order of complexity as the original services. It is also sharing metering scheme; and 

important that the clients would not be overloaded by this t-t^ 1 • - c t, *■ u -n * u . 

, . . J - * .u * FIG, 3 IS a pair of schematic graphs illustratmg the robust 

auditing process. In the method, accordmg to the present . .J •* • u 

. ,1. 1- , u ,j _c scheme and the anonymity preserving scheme, 

mvention, the modifications the clients should perform are ^ ^ r & 

minimal (e.g. a simple plug-in in the client's browser) and 30 DETAILED DESCRIPTION OF A PREFERRED 

there is no need to change the communication pattern. Each EMBODIMENT 

client should obtain (only once) some personalized infor- , , ^ , , . 

mation from the auditor, which requires a single message to ^^"^^'^i P^^^^ invention, "system' and 

be sent from the auditor to the client. The methods can also scheme are often used to relate to the method of the 

be extended to protect the user's privacy and not enable a 35 Present invention, an embodunent thereof, or a significant 

mechanisms for tracing their activities. aspect tnereoi. 

For the appUcation of Web site usage metering, the The general setting in which the metering methods oper- 

method according to preferred embodiment of the present give a high level description of their operation is 

invention_also_measure the-tumover- of clients.-That-is, to - presented according to the present invention;- also specifying- 

determine the rate with which new clients approach the site. 40 ^^e requirements that the method should satisfy. In order to 

This data is important for advertisers. Such measurement be more specific the preferred embodiment, according to the 

can also prevent sites from using a fixed group of (possibly present invention, presented concentrates on methods for 

corrupt) clients to prove high popularity. metering visits to Web sites, as a non-limiting example of the 

The problem of designing accounting mechanisms that present invention, 

will operate with the existing infrastructure of the Internet 45 The setting and the general operation of the metering 

attracted some previous research [Estrin or Fang]. The methods are depicted in FIG. 1. There are servers (denoted 

preferred embodiment of the method of the present inven- S) and clients (denoted C), which interact, and the metering 

tion is innovative in providing an efiScient and secure method should measure this interaction (FIG. la). A new 

measurement of the number of packets that a network party, the audit-agency "A", is responsible for providing 

transfers for other networks, and in producing a short proof 50 measurement reports about all servers. The audit-agency is 

for this count. The method is secure against tampering trusted by all parties for the task of providing accurate 

attempts by networks that try to inflate the count of the reports (but not for other tasks, e.g. servers do not want to 

packets, which they communicated. Considering the amount provide a full list of all their clients to "A"). The metering 

of money that is expected to be paid for Internet connectivity "system", being an embodiment of the method of the present 

(e.g. 50 million users who pay $20 per month equal $12 55 invention, measures the number of visits that each server 

billion annually), it is apparent that secure accounting is receives in a certain period of time (e.g. a day), 

essential. Alternatively, the "system" can be set so that each server 

A few other applications for the metering methods can be: will provide a proof to the audit-agency as soon as it receives 

(a) Targeted audience: The methods can be used to k new visits (where k is a system parameter). A visit can be 
measure the interaction of a Web site with a specific 60 defined to be any unit which is of interest (e.g. a "hit", a 
audience that is of special interest. For example, they "click", a page visited by a user, a session of a single user, 
can be used by advertisers in a medical information » session of more than some threshold of time or hits, etc.). 
Web site to count the number of MDs (medical doctors) The operation of the system, being an embodiment of the 
who visit the site. method of the present invention, is divided into the foUow- 

(b) Royalties: Servers might offer content (or links to 65 ing stages: 

content) which is the property of other parties. The (a) Initialization: (FIG. 16) ITiis stage occurs once at the 

metering methods can be used to measure the number beginning of the life time of the system, or every some 
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long period of time (e.g. monthly or yearly). The able to show at least k hits". The parameters delta and 

audit-agency chooses a random key and securely sends epsUon should be minimized. 

to each server and client some data that depends on this Privacy: The metering scheme should not degrade the 

key and on the identity of the receiving party. This privacy of clients and servers, and in particular should not 

communication is one-way, from the audit-agency. (In 5 require servers to store the details of every visit and send 

some applications, hke Web site usage metering, it is these details to the audit-agency. A nice feature would be to 

preferable that clients perform some initial registration gn^ble cUent anonymity in the sense that even a server 

process before receiving the initialization data. This ^^^^ ^ble to tell whether the sameclient performed 

should prevent fraudulent acquiring of initialization several visits. 

data for multiple clients by the same body). It should be Turnover: An important feature of a metering scheme is to 

noted that initialization of additional participants in the Pleasure the turnover of clients, i.e. the ratio between old and 

accounting may occur at any time. ^hents who visit a server. For example, it should be 

(b) Beginning of metered time frame: (FIG. Ic) A sends possible to tell whether most of the clients who visit a server 
to each server S a difterent challenge. during a certain day have also visited it in previous days. 

(c) Interaction with a chent: (FIGS. ld,e) S sends to the 15 Metering turnover is important for advertisers, they can tell 
chent C a challenge, which depends on the challenge for example whether new or returning visitors see their ads, 
that the server received from the audit- agency. C replies It also measures the loyalty of chents to sites. Such entering 
with an answer that is a function of the challenge and can also prevent corrupt servers or "entrepreneurs" from 
of the information that C received in the initialization organizing a large group of cHents and seUing their services 
stage. 20 as "visitors-per-pay". Such a group might be composed of 

(d) End of time frame: (FIG. 1^ S performs a computation legitimate clients and therefore their visits should be 
which depends on the answers it received from clients, counted. However, if a server relies on a single group of 
and sends to the audit-agency a proof for the number of chents to prove that it had many visitors then it will not be 
chents it served. The audit- agency might query S a Uttle able to prove a nice turnover of clients. The method of the 
to verify the correctness of the proof. 25 present invention is also useful to check turnover of chents. 

This is the most general form of a metering method. In According to the present invention there are several 

order to save communication rounds it is preferable, accord- directions for designing secure and eflHcient metering 

ing to the preferred embodiment of the present invention, methods, based on hash trees, pricing-via-processing, secure 

that no explicit challenges are sent; but rather the challenges function evaluation and micro-payments. The metering 

can be implicitly computed by the servers and chents. 30 methods with the best properties are based on secret sharing. 

Note that the only communication between the audit- According to the present invention there are several 

agency and the clients is a single one-way initiaUzation directions for designing secure and eflBcient metering 

message in the initiahzation stage. The changes in the methods, based on hash trees, pricing-via-processing, secure 

operation of the chent are minimal. They should ideally be function evaluation and micro-payments. The metering 

coded in the Web browser but can also be operated from a 35 methods with the best properties are based on secret sharing, 

plug-in or a helper application. According to an embodiment of the present invention. 

Requirements for the method according to the present schemes check whether a server receives k visits during a 

invention include: certain time frame (e.g. during a day). A different approach 

. Security: It. should be -impossible for a server S-to inflate - is that whenever a~server has k~new visits it proves this fact 

the count of visits that it claims to have served. The server 40 to the audit-agency. 

should be able to mathematically prove that it had a certain Ak-out-of-n secret sharing method enables a secret to be 

number of visits. On the other hand, a server should be divided into n shares such that no k-1 shares reveal any 

protected from subversive clients who might not be willing information about the secret, but any k shares enable to 

to help it in creating the proof. For example, if the server is recover it. The preferred embodiment of the present inven- 

able to detect such clients at the time that they request 45 tion is based on a modified version of the polynomial secret 

service then it can refrain from serving them. sharing scheme of Shamir. However, there are also many 

EfiBciency: EfiSciency is a strict requirement of metering other secret sharing schemes which are apphcable, for use 

schemes since otherwise the large scale of the metered with the method of the present invention, in the construction 

interaction would make the schemes useless (as is the case of metering schemes. Other embodiments of the method of 

with using micropayment schemes for metering). It is essen- 50 the present invention also relate to different variations of 

tial for scalability that the metering system, being an secret sharing based schemes, which achieve different 

embodiment of the method of the present invention, pre- security, eflSciency and accuracy properties. The basic 

serve the existing communication pattern, and in particular scheme according to the present invention checks whether 

not require communication between clients and the audit- servers received k visits in a certain time frame, where k is 

agency, or require mass communication between the server 55 a predefined parameter. 

and the audit- agency. The computation and memory over- In "Shamir's method" the secret can be any value V in a 

heads should be minimal, especially for the cUent, who does finite field F (e.g. V is an integer between 0 and p-1 where 

not have a direct gain from the metering system. An addi- p is prime). The party that wishes to perform the secret 

tional motivation for fimhing the overhead of chents is to sharing chooses a random polynomial Q(x) of degree k-1, 

enable them to quickly compute their answers. This allows 60 subject to the condition Q(0)«V. The n shares are the values 

servers to adopt a policy of not serving clients until they Q(l), Q(2), . . . , Q(n). Given any k of them it is possible to 

send the required response. perform a LaGrange interpolation and obtain Q and V=Q(0). 

Accuracy: The results of the metering scheme should be It is easy to verify that no k-1 shares define Q(0). 

as accurate as possible. The requirements are of the form "if The rational behind establishing metering methods on 

a servers shows k hits, then with probabihty(l-delta) it had 65 secret sharing is to give each client a share, which it will 

at least l-epsilon)k hits", and "if a server S had at least send to a server when visiting it, ITien after serving k clients 

(l+epsilon)k hits, then with probability (1 -delta) it would be the server recovers the secret, which is the proof for serving 
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k clients. However, this straightforward implementation has The following theorem outlines the capabilities of a coali- 

only a single secret and cannot be used by many servers or tion of Hs corrupt servers and He corrupt clients. Its proof 

for several measurements. There is also the problem of is straightforward, 

protecting the server from malicious clients who send incor- Theorem 1 

rcct share, which cause an incorrect "secret" to be computed. 5 Consider a coalition of Hs corrupt servers and He corrupt 

The method, according to the present invention, solves these clients which has been operating for Ht time frames, such 

problems and others. The basic method has three that Hc<k, Hs*Ht<d and (He*d)+(Hs*Ht*k)- 

parameters, k, d, and p. it enables servers to prove that they (Hc*Hs*Ht)<d*k|^ (the first component of the. left side of 

received k visits, where k is a predefined parameter. The the inequality is the information known to the corrupt 

parameter d defines the number of measurements for which lO clients, the second component is the information known 

the method can be used, and p is the probability with which to the corrupt servers, and the third is the information 

a server can generate a proof without serving k clients. which was counted twice). Let S be one of the coalition 

Following is a description of the method set to enable members, which received less than k-Hc visits in one of 

servers to prove that they served k visits during a day. the time frames. Then S has a probability of at most 1/p 

The Basic Scheme (see FIG. 2) is in finding the proof required for this time frame. 

The basic metering scheme uses a bivariate polynomial The polynomial P should be replace in general at least 

rather than a univariate one, in order to share many secrets every d time frames, and typically much earlier (against 

that serve as proofs for the different servers. The system has coalitions of servers). A polynomial with a higher degree d 

three parameters k, d and p. These parameters determine the can be used for a longer time, but then the storage and 

number of visits measured in a time-frame (k) and the 20 computational requirements from the client are also higher, 

security (d and p). Another method which reduces the power of coUuding 

Initialization: The audit-agency A chooses a random servers and does not increase the online run time of clients 
bivariate polynomial P(x,y) over a finite field Zp, which is is to use polynomials of the form P(x,y,z) and consequently 
of degree k-1 in x and degree d-1 in y. It sends to each chent Qc(y,z), where y is substituted with the name of the server 
C the univariate polynomial Qc(y)=P(C,y), which is con- 25 that is serving the client, and z is substituted with the time, 
structed from P by substituting the value C for the variable Then at the beginning of time firame t the client can run a 
X. That is, Qc is a restriction of P(x,y) to the line x«C, and preprocessing stage and substitute I for z. Since this opera- 
is of degree d-1. (The scheme will be used to meter k visits, tion can be performed off-line, the degree of z can be 
and the parameter d defines the number of time firames in relatively high. During run time the client would only have 
which the scheme can be securely used), 30 to substitute the identity of the server. If the system should 

Regular operation: When client C approaches a server S be immune against coalitions of Hs servers for Ht time 

in time frame t, it sends to S the value Qc(St) the input is a frames, then the online run time is reduced from 0(Hs*Ht) 

concatenation of S and t, and assuming, for simplicity, that to 0(Hs). 

it is in Zp and that no two pairs (S,t)(S',t') are mapped to the Robustness 

same element. 35 Even if very few corrupt or erroneous clients send incor- 

Proof generation: After k clients have approached the rect shares to a server, it cannot reconstruct the secret. The 

server in time frame t it has k values, P(Cl,St) . . . P(Ck,St), error correction properties of Reed-Solomon codes can be 

and can perform a Lagrange interpolation and compute used to efficiently reconstruct the secret of a k-out-of-n 

P(0,St). This value is the proof that the sejver sends to^the, -secret sharing scheme if there are"kH^2t'shares and at nfosl t 

audit-age"hcy. The audit-agency can verify the sent value by 40 of them are corrupt. However, this might not be a sufficient 

evaluating the polynomial P at the point (0,St). (The poly- protection if there are many corrupt clients, 

nomial P has kd coefficients but its evaluation at this point Verifiable secret sharing (VSS) enables the recipients of 

is efficient since the x coordinate is 0 and only d terms are shares to verify that the dealer has sent them correct shares, 

non-zero.) Non-interactive VSS schemes (e.g. of Feldman or Pedersen) 

The probability with which a server can generate a proof 45 are especially useful. In one application the dealer of the 

without receiving k visits is 1/p, and the system can there- shares (i.e. the audit-agency) is usually trusted, but clients 

fore safely use p of 32 bits (say 2"-5). Alternatively the might send corrupt shares. VSS can be employed to prevent 

system can use GF(2^^). As the typical fields are small, the that. However, known non-interactive VSS schemes use 

basic arithmetic operations are very efficient. large multiplicative groups (so that extracting discrete loga- 

Security 50 rithms is hard), and the server should perform about MIN 

For a given bivariate polynomial P the server is required (d,k) exponentiations to verify each share it receives from a 

to find the "proof * which is the value P(0,y) at a certain point client, lliis is highly inefficient compared to the basic 

(0,y). The security relies on the d-wise independence of the metering scheme, and non-suitable for metering, 

values of P along any line parallel to the y axis, and the The following verification method is much more efficient 

k-wise independence of P's values along any line parallel to 55 than using VSS. It is based on the following ideas from 

the x axis. In order to be able to evaluate P everywhere the Carter, Rabin, and Wegman: Suppose that A asks C to 

server needs to know all the kd coefficients, whereas in order communicate to S a value u in Zp, and wants to prevent C 

to calculate P on points on the line x=0 (or x=i for this from sending to S any different value. To authenticate the 

matter) the server should know d values of P on this line. value, A can choose random values a,b in Zp, compute 

A corrupt server can be assisted by other corrupt clients or 60 v=((a*u)+b mod p), and send (a,b) to S and (u,v) to C. Later 

servers. A corrupt client C can donate his polynomial and C sends to S the pair (u,v) and then S can verify that 

then the server can evaluate P at every point (C,y) and needs v=((a*u)+b MOD p). The probability that S finds u before it 

one less client in order to prove that it had k visits at a receives the information from C, or that C can cheat S, is at 

specffic time. The information that the client donates is most 1/p. 

equivalent to d coefficients of P. A corrupt server can donate 65 The following metering scheme is robust. It is depicted in 

the information that it received from clients in previous time FIG. 3 (together with an anonymity-preserving scheme), 

frames, which is equivalent to k coefficients per time frame. The scheme uses the following polynomials, all of them 
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chosen at random by A over a field Zp, which is of degree 
k-1 in X and of degree d-1 in y. A(x,y), of degree Ck in x 
and Cd in y. And B(y), of degree Cd in y. The audit-agency 
also computes the polynomial V(x,y)=A(x,y)*P(x,y)+B(y) 
in Zp. 

Initialization: Every client C receives P and V restricted to 
the line x=C. Suppose the scheme is to be used in Ct time 
frames, T(l) . . . T(Ct). Then a server S receives Ct 
restrictions of the polynomials A and-B- to lines parallel to 
the X axis, defined by substituting ST(1) . . , ST(Ct) for the 
value of y. 

The operation of the audit-agency in the initialization 
stage might seem to be too demanding since the polynomial 
V is pretty large, of degree Ck*(k-1) in x and degree 
Cd*(d-1) in y. However since V equals A*P+B, the audit- 
agency can substitute x=C in A and in P (which takes 
0(k+Ck) multiplications), and then multiply the two result- 
ing polynomials in tie 0(d*Cd). 

Operation: At time frame t the client C sends to S the 
values P(C,St) and V(C,St). S evaluates A and B and verifies 
the identity V=AP+B at the point (C,St). If the identity does 
not hold then the client is considered corrupt. As before, 
after receiving information from k clients the server is able 
to perform an interpolation and find the value P(0,St). 

Note that C cannot cheat S with probability better than 1/p 
without knowing the values of A and B at (C,St). The 
security against S finding the required value of P (with 
probability greater than 1/p) is as in the non-robust scheme. 
Theorem 2 

If the above scheme is used for at most Ct measurements, 
then a coalition of at most Ck+1 clients or at most Cd/Ct 
servers has a probability of at most 1/p to succeed in sending 
a corrupt share to another server. 

Increased EfiBciency by Using Classes 
The operation of the client and the audit-agency only 
requires the evaluation of a d degree polynomial, and the 
server should interpolate a polynomial of degree k. Polyno- 
mial interpolation is a relatively eflBcient operation, the 
complexity of interpolation between k points is only 
' 0(k*log'^(k)) multiplications (see e.g. [Aho] p. 299) 

These operations are not too complex since the basic 
operations are performed over a small field. However, the 
parameters k and d are typically large and therefore it might 
be desirable to decrease the overhead of the parlies. Fol- 
lowing is described how to decrease the overhead (for 
simplicity this for the basic scheme). 

The audit-agency decides on a parameter k' and defines 
n=k/k' classes by choosing n random polynomials Pl(x,y) . 
. . Pn(x,y), each of degree k'-l in x and degree d-1 in y. It 
then maps clients to classes by using a random mapping R 
from the set of clients to 1 ... n, and giving client C the 
polynomial Q/?(c),c(y)'*PR(o (C,y) (the client knows to 
which class it is associated). Clients send to S the same 
messages as before, but to prove thai it had k' clients from 
a specific class the server only need to interpolate a k' degree 
polynomial. 

In one possible variant of this method the audit-agency 
should require the server to prove that it had k' clients from 
a specific class r(S,t) (randomly chosen by the audit- 
agency). The proof is the value P^^ ,j (0,St). An alternative 
option is to require the server to prove that it had k" visits 
in each class (where k"<k* but k'-k" is small). According to 
the method of the present invention, there are also many 
other choices for electing a number of visits to be proven (or 
their classes). 

The drawback of using classes is that the threshold is 
probabilistic, which is of course less desirable. For example. 
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for the first variant it is possible (with low probability) that 
even after k clients have sent their shares the server received 
less than k' shares from the relevant class and does not have 
the required proof. 

It follows from the Chemoff bound that the probability 
that after (k'*c)+(c*n) random visits there are less than k' 
clients from a certain class is at most 2*exp(-c"2/(2*c+k')). 
This means for example that if this probability is required to 
be less than 1 then c should be approximately the square root 
of 10* k', and then the relative size of the "gray area" is c/k' 
which is approximately the square root of 10/k. 

The waiting time for the second variant behaves accord- 
ing to a variant of the "coupon collector" problem. 

Anonymity 

Anonymity is desired by many clients. An even stronger 
property is unlinkability, which prevents servers from link- 
ing different visits as originating from the same client. At 
first it seems that secret sharing based metering schemes do 
not support this property since a client C always sends 
values of P at points in which x=C. Following is described 
how to achieve unlinkability of different visits by the same 
cUent (exemplified for the basic system). 

The anonymity preserving scheme is depicted in FIG. 3, 
and is as follows: 

Initialization: As before the audit- agency generates a 
random polynomial P over the field that is used. It also 
generates for every client C a random polynomial Qc(y) of 
degree u. Consider the polynomial P(Qc(y),y), which is of 
degree (d-l)+(u*(k-l)). It is a restriction of P to the curve 
defined by x=Qc(y). The audit-agency sends to C the coef- 
ficients which enable it to calculate values of P(Qc(y),y). 

Operation: When the client C visits a server S at time t it 
sends it the values (Qc(h),P(Qc(h),h)), where h=St. After 
receiving k such values the server can interpolate the poly- 
nomial P(x,h) and calculate the proof P(0,h). The informa- 
tion that a client sends in u+1 visits is unlinkable since any 
u+1 points can be fit to a curve of degree u. Therefore 
examining this information does not reveal whether these 
-visiLs-were from-the same client." " ' ' ~ 

Note that a corrupt audit-agency cooperating with the 
servers can find out the activity of a client. A possible way 
around that is for the client to choose its polynomial itself 
and conduct the initialization process via a secure function 
evaluation, or alternatively for the client and audit-agency to 
run an oblivious-transfer process to generate the client's 
polynomial. 

Furthermore, consider a server who received k visits in 
each of the first u+1 time frames, and in time frame u+2 
receives a visit from a client who made one visit in every 
previous time firame. How can the server check which are 
the previous u+1 visits of this chent? Each visit is hidden 
among the k visits of its time frame. 

An obvious algorithm requires 0(k") operations, and 
therefore might not be practical. For some choice of param- 
eters this problem might not be easy, to say the least. 

The methods according to an embodiment of the present 
invention only check whether a server had k visits, where k 
is a predefined parameter. A more fine-grained measurement 
can be achieved by using a smaller value of k (e.g. k«1000). 
In this case the server is required to provide a different proof 
for every 1000 visits by presenting different values P(0,Hi) 
of the polynomial at different locations (Hi is a random 
challenge picked by the audit-agency and the location (0,Hi) 
is used for proving the 1000 visits between visit 1000(i-l)+l 
and visit lOOOi). This variant requires the server to send to 
its clients the value Hi which is relevant at the time of their 
visits. 
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Secret sharing based methods have the property that a only be computed by a party which gets k of the clients to 

server which received almost k visits cannot generate any compute their partial functions Fc(x) and send her the 

partial proof and is in the same position as a server which results. The notion of a threshold computation of a function 

received no visits. However, a server which received only was introduce din Desmedt, and the most recent implemen- 

k'<k visits, where k-k' is small, can ask the audit-agency to 5 Nation of threshold RSA is suggested in Frankel. However 

send it k-k' shares. It can then recover the secret and prove known implementations were not designed for large values 

k' visits. of n and k, and are far too inefficient in terms of computation 

The server-end of the system can be coded rather simply and communication to be apphcable for metering, 

-as a CGf script: There can be many approaches for imple- T^iij^x^r-rnDTK^^ r *u • r <: *u 

menting the client-end of the system for web applications, lo METERING PERIOD: For the simphcity of the 

For exam le' exposition, an embodiment of the present invention relates 

^ ' to checking whether a server had k visits in a certain time 

(a) A simple proxy on the cUent's machine can perform frame, e.g. during a day. A different approach is that when- 
the handling of metering related messages for the ever the server has k visits, it proves this to the audit-agency 
client. (e.g. a popular server might send such proofs several times 

(b) The chent browser can invoke a simple helper appli- a day, whereas a less popular server might do so every few 
cation whenever it encounters a Web page that requires days). In such schemes, the proof for k visits cannot be the 
metering data. The helper application will calculate the ^^^^^ P(0,St), where t is the date. Rather, for every proof the 
required message to be sent lo the server audit-agency should provide the server with a new challenge 

. I-.- h, and the server should then ask clients to send it values 

(c) A plug-m can be used mstead of a helper apphcation, j ^^^^ ^^^ ^^ 

and can have better mteroperability with the browser. Corrupt servers might try to send to clients false chal- 

(d) AJava applet can be used to perform the calculations lenges h' in order to obtain values P(C4i') they are not 
at the client side. It can be downloaded at the first time entitled to receive. (This can be done in order to receive 
the client approaches a server that requires metering several values from a client which has several visits in the 
data. It must be certified by a trusted party (e.g. the 25 duration of a single challenge, or to obtain values that might 
audit-agency) and should have permission to access the assist another server in computing its proof). A simple 
sensitive data (the coefficients of the polynomial) at the solution to this problem is that challenges h start with the 
cliciil- identity of the server and are always even numbers. Then a 

(e) It is possible to change the code of the browser to server which should answer the challenge h receives the 
perform the metering operations. This is possible in 30 polynomial P(.,h+1) by the audit-agency. The server should 
browsers with accessible source code, e.g. as is prom- send to client C the challenge h and the value P(C,h+l) as 
ised for Netscape 5.0. a proof for the validity of the challenge. 

After the client has sent the required metering information CHECKING TURNOVER OF CLIENTS 
to the server it might try to approach different pages on the An important data for advertisers is the rate with which 
same site, or try to receive the same page at a later time 35 the visitors to a site change (whether the site has loyal clients 
during the same day. For these operations it might be or whether most of the clients do not return). This measure- 
required to send again the same metering data. A simple ment is also important against organized groups of clients 
solution is to store the metering data in a cookie. The server that might offer their service as visitors-for-pay in order to 
will automatically^ receive.the cookie, check its-validityrand - *increase-the popularity count of "sites. A'site' that bases its 
only if it is not updated would demand new information 40 popularity on such visitors will not be able to show a nice 
from the client. It is easy to ensure this at the cUent side, that turnover of clients. 

the chent machine can verify that it is not being "milked" by If a server known k'<ok shares they enable it to wait for 

the server for information that the server should not receive. just k'-k clients before it can provide the proof for being 

Approaches for Designing Metering Schemes visited by k clients. It is possible to detect a server that 

In addition to secret sharing, there are several other 45 operates in this manner by a system that estimates the 

directions that seem helpful for designing efficient and intersection of the groups of clients that contributed to 

secure metering schemes. different proofs. Advertisers might have additional motiva- 

Hash trees: In this solution each client signs a confirma- lions for checking the turnover of clients, 

tion for its visit. The server arranges these confirmations in Following is a coarse description of a system for checking 

a hash tree Merkle and sends its root to the audit-agency, so chent turnover. Suppose a server is proving k visits per day. 

which later verifies the values of random leaves. Additional Then the audit-agency can use a one-way hash function h 

care should be taken to prevent the server from storing the with a range of say 10 k. ITie server is given a challenge t 

same value at different leaves (e.g. by using families of between 1 and 10 k and is required to present, as soon as 

perfect hash functions, or by requiring the server to sort the possible, a share of a chent (from a later time period) which 

leaves). 55 is mapped by h to t. If the clients of a server constantly 

Pricing via processing: This approach is similar to the change then this share is expected to be foimd after about 10 

suggestion of Dwork and Naor for combating junk email. time periods. If the server has a low turnover than it would 

The server is given a large computational task by the need considerably more time periods to present a suitable 

audit-agency. It should ask each client to perform a small share. 

part of this task, whose final completion proves the visit of 60 ADAPTABILITY: The secret sharing based metering 

k chents. Special care should be taken to prevent the server schemes according to an embodiment of the present inven- 

from performing the task by itself, to prevent clients from tion check whether a server received k clients, where k is a 

sending incorrect results, and to minimize the variance of the predefined quota. It is of course preferable to have a more 

stopping time. flexible measurement unit that enables to count the exact 

'Ilireshold computation of a function (e.g. threshold com- 65 number of visits that a server received, A more fine grained 

putation of the RSA function): In order to compute a system can be achieved by setting the quota k to be smaller 

function F each client C receives a share Fc, and F(x) can (e.g. k-1000 for measuring web advertising). 
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A server which received almost k visits cannot provide the 
required proof and appears to be in the same situation as a 
server who received very few visits. However, if a server 
received k'<k visits and k-k' is small it can inform the 
audit-agency of this situation and ask to receive k' values of 
the polynomial that it has to interpolate. After receiving 
these values the server should be able to perform the 
interpolation and compute the required proof 

We claim: - 

1. A method for secure accounting and auditing of a 
communications network, said network having at least one 
server, a plurality of clients, and at least one audit-agency, 
the method comprising the steps of: initializing, beginning 
of a metered time frame, interacting with a client, and 
processing at end of time frame; wherein: 

(a.) initializing includes an audit- agency choosing a sub- 
stantially random key and said audit-agency securely 
sending, to each server and to each client, data that 
depends on at least said key and on identity-data of the 
server or the client receiving said sending; 

(b.) beginning of a metered time frame includes the 
audit-agency sending a challenge to at least one server; 

(c.) interacting with a client, of said initialized clients, 
includes firstly a server sending to the client a challenge 
which depends on at least the challenge that the server 
received from the audit-agency, and secondly the client 
replying with an answer that is computationally depen- 
dant on the challenge that said client received and on 
information that said client received in its initialization 
step; and 

(d.) processing at end of time frame includes firstly a 
server performing a computation which depends on at 
least the answers said server received from clients, and 
secondly sending to the audit-agency a compact proof 
for the number of clients served by said server. 

2. A method according to claim 1 wherein sending to the 
client a challenge is accomplished implicitly by computa- 
tions of the servers and of the clients. _ 

- 3 -A method according to clainfr wherein sending to the 
server a challenge is accomplished implicitly by computa- 
tions of the audit-agency and of the servers. 

4. A method according to claim 1 wherein a proof for the 
number of clients served, being K clients visiting a server S 
in a time period T, includes: 

(e.) in the initializing, the audit- agency generating a 
random polynomial Q(x,y) over a predetermined finite 
field Zp, of degree k-1 in x and d-1 in y; and each 
client C receiving the polynomial Qc(y)=P(C,y) which 
is constructed from P by substituting C for x, and is of 
degree d-1 in y; 
(f.) such that a client C that visits server S at data t sends 
a value Qc(St)=P(C,ST) wherein St is a function of S 
and t, in Zp; 

(g.) and a proof generation includes, for the polynomial 
P(x,St), after serving k clients in time period T, S 
interpolating the polynomial and calculating P(0,St); 
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(h.) and a proof of serving k chents in time period T by 
the audit- agency includes verifying this value by evalu- 
ating the polynomial P at a predetermined location. 

5. A method according to claim 1 wherein the computa- 
5 tional dependency of the challenge is based on hash trees, 

6. A method according to claim 1 wherein the computa- 
tional dependency of the challenge is based on pricing-via- 
processing. 

7. A method according to claim 1 wherein the computa- 
tional dependency of the challenge is based on secure 
function evaluation. 

8. A method according to claim 1 wherein the computa- 
tional dependency of the challenge is ba.sed on micro- 
payments. 

9. A method according to claim 1 wherein the computa- 
tional dependency of the challenge is based on secret 
sharing. 

10. A method according to claim 9 wherein error- 
correcting properties are used to reconstruct the secret. 

11. A method according to claim 1 wherein the interacting 
20 includes a client sending a share to a server, said server 

evaluating a polynomial of degree d-1 wherein said evalu- 
ating uses a computation requiring d multipUcations using 
Homer's rule, and said evaluating is performed in a field Zp 
wherein 1/p is the error probability. 
25 12. A method according to claim 11 wherein the field Zp 
is set to be 32 bits long. 

13. A method according to claim 11 wherein the field Zp 
is set to be with 2^^-5 elements. 

14. A method according to claim 11 wherein the field Zp 
is set to be a Galois field with iP" elements. 

15. A method according to claim 1 wherein the clients are 
divided at random into n classes, and wherein the server is 
asked to prove a predetermined number of visits from a 
random class. 

16. A method according to claim 1 wherein the clients are 
35 divided at random into n classes, and wherein the server is 

asked to prove a predetermined number of visits from at 
least one predetermined class. 

17. A method according to claim 1 wherein a number of 
^measurements in which the method is used~is~of "the same 

40 order as d, the degree of y in P, times the number of classes 
n. 

18. A method according to claim 1 wherein interacting 
includes a server counting client turnover or counting visits 
by clients of a predetermined audience or counting requests 

45 for royalty-payment-requiring-property or counting requests 
for an access-cost payment-service by a third party or 
counting coupons received from clients; and wherein pro- 
cessing at end of time firame includes a proof for any of said 
countings. 

19. A method according to claim 1 wherein a server 
verifies the answer received from the client. 

20. A method according to claim 1 wherein a client's 
answer has a domain that is unknown to the server. 

21. A method according to claim 1 wherein the compu- 
tational dependency of the challenge is based on quorum 
systems. 

* X> « * 
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